Scouring the Business of Technology

SQL Injection

By now you’re probably familiar with the risk of SQL injection attacks. Just to refresh your memory, this is when a naughty user of your site gets actual SQL statements to execute by way of a form on your page. If you concatenate strings to form SQL commands, you’re at risk. Consider this spot of code:

Seems innocent enough, right? If someone knows that your code looks like that, you could be in a world of hurt. For example, if the user entered the following in the NameTextBox:

' OR 1=1 --

The actual SQL statement would be:

SELECT * FROM User WHERE Name = '' OR 1=1 --' AND Password = ''

The important part is the double dash, which comments out the rest of the statement. The 1=1 part adds a condition to the select that will include every row, because, well, 1 always equals 1. If you were using this to authenticate a user, they can enter anything and be logged in.

But it could be much worse. If your database connection string is using some privileged account (like, God forbid, the sa account in SQL Server), the naughty user could do more damage by putting a semi-colon (to make the command compound) followed by some DROP command to nuke your entire database, or execute a command line like “format d:” or something equally sinister. That wouldn’t be much fun.